The plugin does not sanitize multiple input fields used when creating or managing quizzes and in other settings options, allowing high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
1. When creating a new Question Pot, you can inject an XSS payload like "><script>alert(1)</script> in the Quiz Name.
2. When adding a new quiz, you can inject an XSS payload like "><script>alert(1)</script> in the Quiz Name.
3. When managing the plugin's Email Setting, you can inject an XSS payload like "><script>alert(1)</script> in the "And from this name" field.
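The pattern behind all three findings is the same: a setting is stored as received and later echoed unescaped into an HTML attribute, so a value beginning with `">` closes the attribute and injects markup. The snippet below is an added illustration, not the plugin's own code; the option name `example_quiz_name`, the nonce action and the function names are hypothetical. It places the weak save/render pair next to a hardened one that sanitizes on write and escapes for the attribute context on read, which also enforces the unfiltered_html restriction for privileged users.

```php
<?php
// Added illustration, not the plugin's code. Option, nonce and function names are hypothetical.

// Vulnerable pattern: stored verbatim, echoed raw inside value="". A quiz name such as
// "><script>alert(1)</script> closes the attribute and the tag and injects script,
// regardless of whether the saving user holds the unfiltered_html capability.
function vuln_save_quiz_name() {
    update_option( 'example_quiz_name', $_POST['quiz_name'] );
}
function vuln_render_quiz_name() {
    $name = get_option( 'example_quiz_name', '' );
    echo '<input type="text" name="quiz_name" value="' . $name . '">';
}

// Hardened pattern: check capability and nonce, sanitize on write, escape on read.
function safe_save_quiz_name() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'example_save_quiz' );
    $raw = isset( $_POST['quiz_name'] ) ? wp_unslash( $_POST['quiz_name'] ) : '';
    // sanitize_text_field() strips tags, encodes stray '<' and removes line breaks,
    // so the stored value can never carry markup even for administrators.
    $name = sanitize_text_field( $raw );
    update_option( 'example_quiz_name', $name );
}
function safe_render_quiz_name() {
    $name = get_option( 'example_quiz_name', '' );
    // esc_attr() encodes the double quote, so the value cannot terminate the attribute.
    // Escaping at output is kept even though the value was sanitized on save (defense in depth).
    printf( '<input type="text" name="quiz_name" value="%s">', esc_attr( $name ) );
}
```

The same write/read pairing applies to the "And from this name" e-mail setting; a value destined for an e-mail header would additionally be checked with sanitize_email() or restricted to printable characters before use.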